Firejail: new version of Slack Desktop (4.0) not working

Created on 22 Jul 2019 · 25 Comments · Source: netblue30/firejail

Hello,

this morning, slack application can't run on firejail, while it was working two days ago. It could be because I upgraded some packages on my Debian Stretch. Slack is version 4.0.0 coming from their repository.
Firejail and firejail-profiles are version 0.9.58.2-2.

When running slack in firejail this is the output

 Reading profile /etc/firejail/slack.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 18487, child pid 18488
Warning: skipping crypto-policies for private /etc
Private /etc installed in 22.93 ms
2 programs installed in 1.57 ms
Child process initialized in 95.05 ms

Initializing local storage instance at path: /home/eric/.config/Slack/local-settings.json
Creating Slack Application

and it gets stuck there.
It runs well without firejail.
I copied the profile from github but no change.

Thanks for this nice tool, and for any help in solving this problem.

All 25 comments

@daks slack uses electron, right? Related to #2854 and #2821. Try adding the following to slack.local.

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

Thanks for this quick answer but the problem is still present with this fix

Reading profile /etc/firejail/slack.profile
Reading profile /etc/firejail/slack.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 27167, child pid 27168
Warning: skipping crypto-policies for private /etc
Private /etc installed in 23.57 ms
2 programs installed in 2.01 ms
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 98.29 ms
Initializing local storage instance at path: /home/eric/.config/Slack/local-settings.json
Creating Slack Application

I assume that firejail --noprofile slack works.
Then undo the changes in slack.local and try the following, if it works try to figure out what needs to be ignored.
firejail --ignore=private-bin --ignore=private-etc --ignore=private-tmp --ignore=seccomp --ignore=nogroups --ignore=nonewprivs --ignore=noroot slack

 firejail --noprofile slack
Parent pid 2916, child pid 2917
Child process initialized in 39.16 ms
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features
Warning: an existing sandbox was detected. slack will run without any additional sandboxing features

not working...

I have no real hurry to make it run without firejail, I'm using the web UI in the meantime, I prefer to wait to have a working firejail profile to sandbox it :)

Now it's interesting, looks like a loop.
sudo rm /usr/local/bin/slack (if you have a firecfg/firejail symlink)
command -v slack
cat $(command -v slack) // if it is a shell script
EDIT:
Do you use firejail as shell? Or firejailing your terminal? (If unsure firejail echo 'Hello World' should show Reading profile /etc/firejail/default.profile)

I don't think I firejail my shell (fish) or my terminal (urxtc) but

$ firejail echo 'Hello World'
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 13416, child pid 13417
Child process initialized in 132.44 ms
Hello World

Parent is shutting down, bye...

and /usr/bin/slack is not a text file.

it seems that my firefox is firejailed and... ssh?

ps ax|grep firejail
 5711 pts/10   S+     0:00 /usr/bin/firejail /usr/bin/ssh srv1
 5712 pts/10   S+     0:00 /usr/bin/firejail /usr/bin/ssh srv1
 9719 ?        S      0:00 /usr/bin/firejail /usr/bin/firefox
 9720 ?        S      0:00 /usr/bin/firejail /usr/bin/firefox
15037 pts/11   S+     0:00 grep --color=auto firejail
15886 pts/5    S+     0:00 /usr/bin/firejail /usr/bin/ssh srv2
15887 pts/5    S+     0:00 /usr/bin/firejail /usr/bin/ssh srv2

try removing name slack from slack.profile and add join-or-start slack

still the same

$ slack
Reading profile /etc/firejail/slack.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 18756, child pid 18757
Warning: skipping crypto-policies for private /etc
Private /etc installed in 53.10 ms
2 programs installed in 3.42 ms
Child process initialized in 142.00 ms
Initializing local storage instance at path: /home/eric/.config/Slack/local-settings.json
Creating Slack Application

I don't have more ideas, let's wait and see if someone else has an idea.

I would suggest replacing fish with dash or bash to solve that problem. The fish shell is experimental and non-standard (not POSIX compatible, with some weird behavior), and there are other threads related to firejail where the problem could be solved by dropping fish.

In fact I'm using fish.
I launched bash to execute slack in firejail and I have the same problem.
I'm not sure it has any influence.

Launched in which way? Would chsh be used to change the standard login shell? After that step you need to relogin/restart. This is important.

After chsh and restarting my X session, same problem.

Seems to be working after adding ignore private-etc to slack.local. So private-etc in slack.profile needs to be updated (but I don't have time to investigate more now).

It should be fixed now -- just add debian_version to the private-etc line.

Cheers!
Fred

Wow, that's crazy. The program doesn't work if it can't determine the version of the distribution?

Thanks for finding this, I submitted a PR fixing this in fedora as well.

My bad, it actually does not fix it in fedora, I forgot to get rid of the ignore private-etc override. I will look into it later.

Fedora has also fedora-release, os-release, redhat-release, system-release
(ls -l /etc/*release).

Thanks for pointing out. It works on fedora with all release files listed.

No idea what they did that a program totally breaks without OS release infos?
Maybe we need more on other distros.

Thanks, I added a "slack.local" with the "private-etc" from the commit and it works :)
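
A check for the failure this thread converged on, as an added example that is not code from the thread or from firejail: it lists release/version files that exist under an /etc tree but are missing from a profile's private-etc list, and prints nothing when an ignore private-etc override is present (the situation that masked the Fedora test above). The function names, the `*release`/`*_version` globs and the sample profile are assumptions constructed for illustration, and the override is treated as active wherever it appears in the given files.

```shell
# Added example (not from the thread): find release files that private-etc hides.

# Print every private-etc entry, one per line, from the given profile files.
private_etc_entries() {
    cat -- "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*private-etc[[:space:]]\{1,\}//p' |
        tr ',' '\n' | tr -d ' \t' | sed '/^$/d' | sort -u
}

# Succeed if any given profile carries the "ignore private-etc" override.
ignores_private_etc() {
    cat -- "$@" 2>/dev/null |
        grep -Eq '^[[:space:]]*ignore[[:space:]]+private-etc[[:space:]]*$'
}

# missing_release_files ETC_DIR PROFILE...
# Print release/version files present in ETC_DIR but absent from private-etc.
# The *release and *_version globs are an assumption based on the files named above.
missing_release_files() {
    etc_dir=$1; shift
    if ignores_private_etc "$@"; then
        echo "note: ignore private-etc is set, private-etc is not applied" >&2
        return 0
    fi
    allowed=$(private_etc_entries "$@")
    [ -n "$allowed" ] || return 0   # no private-etc line, /etc is not restricted
    for p in "$etc_dir"/*release "$etc_dir"/*_version; do
        [ -e "$p" ] || continue     # unmatched glob stays literal, skip it
        name=${p##*/}
        printf '%s\n' "$allowed" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: a fake /etc tree and a fake profile (not the real slack.profile).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc"
    touch "$d/etc/os-release" "$d/etc/debian_version" "$d/etc/hosts"
    printf 'private-etc hosts,resolv.conf,os-release\n' > "$d/slack.profile"
    printf 'ignore private-etc\n' > "$d/slack.local"
    missing_release_files "$d/etc" "$d/slack.profile"    # profile alone
    missing_release_files "$d/etc" "$d/slack.local" "$d/slack.profile" 2>/dev/null
    rm -rf "$d"
}

demo   # prints: debian_version
```

On a real system the call would be `missing_release_files /etc /etc/firejail/slack.local /etc/firejail/slack.profile`, using the profile paths shown in the output above.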
